Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the United States Coast Guard Component of the FY 2010 DHS Financial Statement Audit

OIG-11-80                                            May 2011


Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the United States Coast Guard component of the FY 2010 DHS financial statement audit as of September 30, 2010. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors' Report, dated November 12, 2010, and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at the Coast Guard component in support of the DHS FY 2010 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated March 22, 2011 and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control, or conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Assistant Inspector General
Office of Information Technology Audits


KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

March 22, 2011

Inspector General
U.S. Department of Homeland Security
Chief Information Officer
U.S. Coast Guard
Chief Financial Officer
U.S. Coast Guard

Ladies and Gentlemen:

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2010 and the related statement of custodial activity for the year then ended (hereinafter referred to as "financial statements"). We were also engaged to examine the Department's internal control over financial reporting of the balance sheet as of September 30, 2010 and the statement of custodial activity for the year then ended. We were not engaged to audit the statements of net cost, changes in net position, and budgetary resources as of September 30, 2010 (hereinafter referred to as "other fiscal year (FY) 2010 financial statements"), or to examine internal control over financial reporting over the other FY 2010 financial statements.

Because of matters discussed in our Independent Auditors' Report, dated November 12, 2010, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements or on the effectiveness of DHS' internal control over financial reporting of the balance sheet as of September 30, 2010, and related statement of custodial activity for the year then ended. Additional deficiencies in internal control over financial reporting, potentially including additional material weaknesses and significant deficiencies, may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the financial statements or on the effectiveness of DHS' internal control over financial reporting of the balance sheet as of September 30, 2010, and related statement of custodial activity for the year then ended; and had we been engaged to audit the other FY 2010 financial statements, and to examine internal control over financial reporting over the other FY 2010 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

The United States Coast Guard (Coast Guard or USCG) is a component of DHS. During our audit engagement, we noted certain matters in the areas of information technology (IT) configuration management, security management, access controls, and segregation of duties with respect to Coast Guard's financial systems IT general controls, which we believe contribute to an IT material weakness at the DHS level. These matters are described in the IT General Control and Financial System Functionality Findings and Recommendations by Audit Area section of this letter.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

The material weakness described above is presented in our Independent Auditors' Report, dated November 12, 2010. This letter represents the separate limited distribution letter mentioned in that report.

The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR).

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. We aim to use our knowledge of Coast Guard gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies. We have not considered internal control since the date of our Independent Auditors' Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key Coast Guard financial systems and IT infrastructure within the scope of our engagement to audit the FY 2010 DHS financial statements in Appendix A; a listing of the FY 2010 IT Notices of Findings and Recommendations at Coast Guard in Appendix B; the status of the prior year NFRs and a comparison to current year NFRs in Appendix C; and Coast Guard management's written response in Appendix D. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the Coast Guard Chief Financial Officer.

Coast Guard's written response to our comments and recommendations, presented in Appendix D, has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

This communication is intended solely for the information and use of DHS and Coast Guard management, DHS Office of Inspector General, U.S. Office of Management and Budget, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,


Department of Homeland Security
United States Coast Guard
Information Technology Management Letter
September 30, 2010

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

Objective, Scope, and Approach
Summary of Findings and Recommendations
IT General Controls and Financial System Functionality Findings
    Findings and Recommendations
    Related to IT Financial Systems Controls:
        Configuration Management
        Access Controls
        Segregation of Duties
        Security Management
            After-Hours Physical Security Testing
            Social Engineering Testing
    Related to Financial System Functionality
Application Controls
Management's Comments and OIG Response

APPENDICES

Appendix   Subject
A          Description of Key Coast Guard Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial Statement Audit
B          FY 2010 Notices of IT Findings and Recommendations at Coast Guard
               Notice of Findings and Recommendations – Definition of Severity Ratings
C          Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at Coast Guard
D          Management's Comments

Information Technology Management Letter for the United States Coast Guard Component of the FY 2010 Financial Statement Audit


OBJECTIVE, SCOPE, AND APPROACH

In connection with our engagement to audit DHS' balance sheet as of September 30, 2010 and the related statement of custodial activity for the year then ended, we performed an evaluation of information technology general controls (ITGC) at Coast Guard to assist in planning and performing our audit.

The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our ITGC evaluation procedures. The scope of the ITGC evaluation is further described in Appendix A. FISCAM was designed to inform financial auditors about IT controls and related audit concerns, to assist them in planning their audit work, and to integrate the work of IT auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions as essential to the effective operation of the ITGC environment.

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access Control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our ITGC audit procedures, we also performed technical security testing of key network and system devices. The technical security testing was performed within a select Coast Guard facility and focused on test, development, and production devices that directly support Coast Guard's financial processing and key general support systems. Limited social engineering and after-hours physical security testing was also included in the scope of technical security testing.

Application controls were not tested for the year ending September 30, 2010 due to the nature of prior-year audit findings.


SUMMARY OF FINDINGS AND RECOMMENDATIONS

During fiscal year (FY) 2010, Coast Guard took corrective action to address nearly half of the prior year IT control weaknesses. For example, Coast Guard strengthened the system security settings of some of its systems at the USCG Finance Center (FINCEN), strengthened account management and configuration management controls over the Workflow Imaging Network System (WINS), and improved the data center controls at FINCEN. However, during FY 2010, we continued to identify IT general control weaknesses at Coast Guard.
The most significant weaknesses from a financial statement audit perspective are related to the controls over authorization, development, implementation, and tracking of IT scripts at FINCEN. These IT control deficiencies limited Coast Guard's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over Coast Guard financial reporting and its operation, and we consider them to contribute to a material weakness at the Department level under standards established by the American Institute of Certified Public Accountants. Based upon the results of our test work, we also noted that the Coast Guard did not fully comply with the Department's requirements under the Federal Financial Management Improvement Act (FFMIA).

In FY 2010, our IT audit work identified 28 IT findings, of which ten were repeat findings from the prior year and 18 were new findings. In addition, we determined that Coast Guard remediated eight IT findings identified in previous years. Specifically, the Coast Guard took actions to improve aspects of its user recertification process, data center physical security, and scanning for system vulnerabilities. The Coast Guard's remediation efforts have enabled us to expand our test work into areas that previously were not practical to test, considering management's acknowledgment of the existence of control deficiencies. Most of the new findings relate to IT systems that were added to our examination scope this year.

Collectively, these findings represent deficiencies in four of the five FISCAM key control areas. The FISCAM areas impacted included Security Management, Access Control, Segregation of Duties, and Configuration Management. We also considered the effects of financial system functionality when testing internal controls, since key Coast Guard financial systems are not compliant with FFMIA and are no longer supported by the original software provider. Financial system functionality limitations add to the challenge of addressing systemic internal control weaknesses and strengthening the control environment at the Coast Guard.

The majority of the findings indicate a lack of properly designed, detailed, and consistent guidance over financial system controls to enforce DHS Sensitive System Policy Directive 4300A requirements and National Institute of Standards and Technology (NIST) guidance. Specifically, the findings stem from 1) poorly, but improving, designed and operating IT script change control policies and procedures, 2) unverified access controls through the lack of user access privilege re-certifications, 3) entity-wide security program issues involving civilian and contractor background investigation weaknesses, 4) inadequately designed and operating audit log review policies and procedures, 5) physical security and security awareness weaknesses, and 6) gaps in role-based training for individuals with elevated responsibilities.

These deficiencies increase the risk that weaknesses in system controls could be exploited, compromising the confidentiality, integrity, and availability of Coast Guard financial data and, in turn, the integrity of the financial data used by management and reported in DHS' consolidated financial statements.

While the recommendations made by us should be considered by Coast Guard, it is the ultimate responsibility of Coast Guard management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.


IT GENERAL CONTROLS AND FINANCIAL SYSTEM FUNCTIONALITY FINDINGS

Findings and Recommendations:

Conditions: During the Coast Guard segment of the FY 2010 DHS Financial Statement Audit, we identified the following IT and financial system control deficiencies that, in the aggregate, significantly contribute to the material weakness at the department level. Our findings are divided into two groupings: 1) financial systems controls and 2) IT system functionality.

Related to IT Financial Systems Controls

Configuration Management

We noted that Coast Guard's core financial system configuration management process controls are not operating effectively, and continue to present risks to DHS financial data confidentiality, integrity, and availability. Financial data in the general ledger may be compromised by automated and manual changes that are not adequately controlled. For example, the Coast Guard uses an IT scripting process to make updates to its core general ledger software as necessary to process financial data. During our FY 2010 testing, we noted that some previously identified control deficiencies were remediated (particularly with the implementation of a new script change management tool in the second half of FY 2010), while other deficiencies continued to exist. The remaining control deficiencies vary in significance. However, three key areas that impact the Coast Guard IT script control environment are:

• Script testing requirements – Limited testing requirements exist to guide FINCEN staff in the development of test plans and guidance over the functional testing that should be performed;
• Script testing environment – Not all script changes were tested in the appropriate test environments, as required; and
• Script audit logging process – The Coast Guard's core system databases are logging changes to tables as well as successful and unsuccessful logins. However, no reconciliation between the scripts run and the changes made to the database tables is being performed to monitor the script activities and ensure that all scripts run have been approved.

In addition, we noted weaknesses in the script change management process as it relates to the Internal Control over Financial Reporting (ICOFR) process (e.g., the financial statement impact of changes to the FINCEN core accounting system made through the script change management process). The Coast Guard has not fully developed and implemented procedures to ensure that a script planned to be run in production has been through an appropriate level of review by a group of individuals who thoroughly assess whether the script would have a financial statement impact. Furthermore, the rationale documenting the impact of the script, whether deemed as having a financial impact or not, is not documented and retained for internal assessment or audit purposes.
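The reconciliation that the script audit logging finding above calls for, written out as an added example; this is not code from the OIG letter, from KPMG, or from any Coast Guard or FINCEN tool. It matches each logged table change against the approved-script register on three points (the script tag the session carried, the tables the script was approved to touch, and the approved execution window) and also lists approved scripts that never ran, so both directions of the reconciliation are covered. The pipe-delimited audit record layout, the `script=<id>` session tag, the register fields, and every table, ticket and script identifier are assumptions made for the example, and the sample records are constructed.

```python
"""Reconcile logged database changes against the approved-script register.

Added example; not code from the OIG letter, KPMG, or any Coast Guard/FINCEN
tool. The audit log layout, the session tag "script=<id>", and the register
fields are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Statement types that alter table contents or structure. Logins are logged
# too (per the finding) but are not part of the script reconciliation.
CHANGE_ACTIONS = {"INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "TRUNCATE"}


@dataclass(frozen=True)
class ApprovedScript:
    script_id: str          # id issued by the change-management tool (assumed)
    ticket: str             # change ticket holding the approval and impact rationale
    tables: frozenset       # tables the script is approved to modify
    window_start: datetime  # approved production execution window
    window_end: datetime


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    db_user: str
    action: str
    table: str
    script_id: Optional[str]  # tag recorded on the session; None if untagged


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Parse one audit record in the assumed pipe-delimited layout:
    <ISO timestamp>|<db user>|<action>|<table>|<key=value>...
    Returns None for records that are not table changes (e.g. LOGIN)."""
    ts, user, action, table, *tags = line.strip().split("|")
    action = action.upper()
    if action not in CHANGE_ACTIONS:
        return None
    kv = dict(t.split("=", 1) for t in tags if "=" in t)
    return AuditEvent(datetime.fromisoformat(ts), user, action, table, kv.get("script"))


def reconcile(register: List[ApprovedScript], lines: List[str]
              ) -> Tuple[List[Tuple[AuditEvent, str]], List[ApprovedScript]]:
    """Match every logged table change to an approved script.

    Returns (unapproved, not_executed):
      unapproved   - (event, reason) for changes with no matching approval
      not_executed - approved scripts with no matching change; the reviewer
                     should confirm these were deferred or cancelled.
    """
    by_id = {s.script_id: s for s in register}
    executed = set()
    unapproved = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            continue
        script = by_id.get(ev.script_id) if ev.script_id else None
        if ev.script_id is None:
            unapproved.append((ev, "change carries no script tag"))
        elif script is None:
            unapproved.append((ev, f"script {ev.script_id} not in approved register"))
        elif ev.table not in script.tables:
            unapproved.append((ev, f"table {ev.table} not in scope of {ev.script_id}"))
        elif not (script.window_start <= ev.ts <= script.window_end):
            unapproved.append((ev, f"{ev.script_id} ran outside approved window"))
        else:
            executed.add(ev.script_id)
    not_executed = [s for s in register if s.script_id not in executed]
    return unapproved, not_executed


# Constructed sample data (not real FINCEN records).
REGISTER = [
    ApprovedScript("SCR-1042", "CHG-7731", frozenset({"GL_BALANCES"}),
                   datetime(2010, 9, 30, 20, 0), datetime(2010, 9, 30, 23, 59)),
    ApprovedScript("SCR-1043", "CHG-7735", frozenset({"AP_INVOICES"}),
                   datetime(2010, 9, 30, 20, 0), datetime(2010, 9, 30, 23, 59)),
]
SAMPLE_LOG = [
    "2010-09-30T21:05:11|fincen_app|LOGIN|-|result=success",
    "2010-09-30T21:06:40|fincen_app|UPDATE|GL_BALANCES|script=SCR-1042",
    "2010-09-30T21:07:02|fincen_app|UPDATE|GL_DETAIL|script=SCR-1042",
    "2010-09-30T21:30:15|dba_jsmith|DELETE|AP_INVOICES",
    "2010-09-30T22:00:00|fincen_app|ALTER|GL_BALANCES|script=SCR-0999",
    "2010-10-01T02:12:09|fincen_app|UPDATE|AP_INVOICES|script=SCR-1043",
]

if __name__ == "__main__":
    bad, missing = reconcile(REGISTER, SAMPLE_LOG)
    for ev, why in bad:
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.db_user:<11} {ev.action:<7} {ev.table:<12} {why}")
    for s in missing:
        print(f"{s.script_id} ({s.ticket}): approved but no matching change logged")
```

Two design points matter for this control. First, the reconciliation depends on the database session carrying a script identifier that the audit trail records; without that tag (the `dba_jsmith` DELETE in the sample) a change can only be reported as unattributed, which is exactly the condition the finding describes, so requiring the tag is itself part of the control. Second, the review must be performed by someone other than the administrator who runs the scripts and must retain the output, for the segregation-of-duties and retention reasons given under Access Controls and Segregation of Duties below.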
Internal controls that ensure the reliability of the scripting process must be effective throughout the year, but most importantly during the year-end close-out and financial reporting process.

Access Controls

• Procedures surrounding the use of monitoring reports over contracted personnel data have not been formally documented.
• Procedures for finalizing and implementing entity-wide processes for account terminations and related notifications are still in draft and have not been implemented or communicated.
• Audit log reviews for key financial systems are not being conducted on all key information, and are not being retained for self-assessment and audit purposes.
• New user access forms are not retained for self-assessment and audit purposes. In addition, evidence of supervisory approval of new users was not available for review.
• Access review procedures for key financial applications do not include the review of all user accounts to ensure that all terminated individuals no longer have active accounts, that inactive accounts are locked, and that the privileges associated with each individual are still authorized and necessary.
• Account re-certifications are not being retained for self-assessment and audit purposes.

Segregation of Duties

• Audit log reviews are being performed by the system administrator, who is not considered an independent party as required by DHS MD 4300A.

Security Management

• Background investigations for all civilian employees have not been completed, and Coast Guard's civilian position sensitivity designation process is not in compliance with DHS guidance.
• Coast Guard procedures do not include specific guidance for program managers on how to set correct and consistent risk levels and position sensitivity designations for contract employees.
• Policies and procedures for key control areas are not adequately detailed to provide clear and complete control descriptions.
• There is no consistent contractor, civilian, and military account termination notification process for Coast Guard systems.
• During our after-hours physical security and social engineering testing, we identified exceptions in the protection of sensitive user account information. The tables below detail the exceptions identified at the various locations tested.

After-Hours Physical Security Testing

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical aspects include physical access to media and equipment that house financial data, and information left on a Coast Guard employee's or contractor's desk that could be used by others to gain unauthorized access to systems housing financial information. The testing was performed at various Coast Guard locations that process and/or maintain financial data. The following table summarizes our testing results.

Security Weaknesses Observed During After-Hours Physical Security Testing

                                                    Coast Guard Locations Tested
Exceptions Noted                            HQ Jemal  HQ Transpoint  FINCEN Main  FINCEN Annex  Total by Type
                                              (CG-6)        (CG-84)
Passwords                                          3              4            2             0              9
For Official Use Only (FOUO) Documents            11              0            0             2             13
Keys/Badges                                        0              1            0             0              1
Personally Identifiable Information (PII)          0              1            3             0              4
Server Names/IP Addresses                          0              0            0             3              3
Unsecured Laptops                                  1              2            0             0              3
Unsecured External Drives                          4             10            0             2             16
Terminal root command left unattended              0              0            0             1              1
Directory structure map unsecured                  0              0            0             1              1
Common Access Cards (CAC)                          0              1            1             0              2
Secure ID Token PIN                                2              0            0             0              2
Active computer left unattended                    0              0            0             1              1
Total Exceptions by Location                      21             19            6            10             56

Source: Coast Guard management, OIG, and KPMG direct observation and inspection of work areas.
Note: Approximately 20-25 desks/offices were examined for each location column in the above table.

Social Engineering Testing

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing/enabling computer system access.
The term typically applies to deception for the purpose of\n    information gathering, or gaining computer system access, as shown in the following table.\n\n\n Location               Total Called Total Answered Number of people who provided a password\n Coast Guard HQ               45                 11                                  1\n Coast Guard FINCEN           50                 23                                  7\n\n\n    Recommendations: We recommend that the Coast Guard Chief Information Officer (CIO) and Chief\n    Financial Officer, in coordination with the DHS Office of Chief Financial Officer and the DHS Office\n    of the Chief Information Officer, make the following improvements to Coast Guard\xe2\x80\x99s financial\n    management systems and associated information technology security program.\n    Configuration Management:\n    We recommend that the Coast Guard CIO update the scripting policies and procedures to include\n    additional and more detailed test documentation, develop training that addresses all aspects of script\n    testing (including documentation of test documents) and provide training to appropriate CM staff,\n    develop a resource plan (RP) with associated supporting business case(s) to address the database audit\n    logging requirements, develop procedures and perform regular account revalidations for the Serena\n\n            Information Technology Management Letter for the United States Coast Guard \n\n                        Component of the FY 2010 Financial Statement Audit \n\n                                             Page 6\n \n\n\x0c                                Department of Homeland Security \n\n                                   United States Coast Guard \n\n                            Information Technology Management Letter\n                                       September 30, 2010\n\napplication to ensure privileges remain appropriate, and conduct an assessment over the ICOFR\nprocess related to 
identifying and evaluating scripts that have a financial statement impact.

Access Controls:
• Update account management procedures to effectively track and retain user access documentation;
• Update account management procedures to provide clear guidance regarding the use of user access forms and update the access form to include an approval signature line;
• Configure Coast Guard applications to enforce the strong password and password history requirements described in the DHS MD 4300A Policy Directive and update all impacted system documentation accordingly;
• Update standard operating procedures to address the audit log review and retention procedures;
• Update audit log review procedures within specific procedures to include more detail in recording the results of the review of the audit logs;
• Continue with ongoing efforts for identifying, designing, and implementing automated tools to assist in audit log collection, storage, analysis, and reporting, which will further improve consistency, timeliness, and accuracy of the reviews when compared with labor- and time-intensive manual processes;
• Develop and document an enterprise-wide process that will notify all impacted system owners of terminated, transferred, or retired contractor, military, and civilian personnel;
• Continue to update procedures to require an annual review of 100% of user accounts for the key financial systems and their associated privileges that are greater than read-only to ensure access is still required;
• Develop a RP with associated supporting business case(s) to address the installation of Service Pack 3 on all applicable workstations and/or upgrade the operating systems of these workstations to the Coast Guard's Standard Image; and
• Develop a RP with associated supporting
business case(s) to address the server operating system upgrades to include a technical analysis to ensure server upgrades do not adversely affect system operation.

Segregation of Duties:
• Implement separation of duties for Coast Guard System audit log reviews.

Security Management:
• Update the policies and procedures currently in place to include clear guidance for Program Managers and Contracting Officers to assign contractor risk level(s) and position sensitivity designation requirements in order to verify that all contracts issued by the Coast Guard include the appropriate investigation level requirements;
• Perform initial background investigations and re-investigations for civilian employees in accordance with DHS directives;
• Update the annual Information Assurance (IA) training to include more robust office "physical security" and "clean desk" guidance and instruction and explicitly test individuals during the training on these topic areas;
• Implement enterprise-wide and site-specific processes for verifying the effectiveness of this training via mechanisms such as scheduled and ad hoc desk checks, training follow-ups, and other management controls;
• Develop, document, communicate, train, test, and continuously maintain policies and procedures for the cited IT control and process areas;
• Continue
to implement Commandant Instruction Information Assurance Professional Certification; and
• Improve and utilize its manual tracking process until such time that the Direct Access implementation is in place.

Related to Financial System Functionality
Conditions: We noted that certain financial system functionality limitations are contributing to control deficiencies, inhibiting progress on corrective actions for Coast Guard, and preventing the Coast Guard from improving the efficiency and reliability of its financial reporting processes. Some of the financial system limitations lead to extensive manual and redundant procedures to process transactions, to verify the accuracy of data, and to prepare financial statements. Systemic conditions related to financial system functionality include:
• As noted above, Coast Guard's core financial system configuration management process is not operating effectively due to inadequate controls over IT scripts. The IT script process was instituted as a solution primarily to compensate for system functionality and data quality issues.
• Financial system audit logs are not readily generated and reviewed, as some of the financial systems are lacking the capability to perform this task efficiently.
• Production versions of operational financial systems are outdated and do not provide the necessary core functional capabilities (e.g., general ledger capabilities).
  Financial systems functionality limitations are preventing the Coast Guard from establishing automated processes and application controls that would improve accuracy and reliability, and facilitate efficient processing of certain financial data such as:
   - Ensuring proper segregation of duties and access rights, such as automating the procurement process to ensure that only individuals who have proper contract authority can approve transactions or setting system access rights within the fixed asset subsidiary ledger;
   - Maintaining sufficient data to support Fund Balance with Treasury related transactions, including suspense activity;
   - Maintaining adequate posting logic transaction codes to ensure that transactions are recorded in accordance with Generally Accepted Accounting Principles; and
   - Tracking detail transactions associated with intragovernmental business and eliminating the need for default codes such as Trading Partner Identification Number that cannot be easily researched.

Recommendations: We recommend that the Coast Guard's Chief Information Officer and Chief Financial Officer update the scripting policies and procedures to include additional and more detailed test documentation, develop training that addresses all aspects of script testing (including documentation of test documents) and provide training to appropriate CM staff, develop a RP with associated supporting business
case(s) to address the database audit logging requirements, develop procedures and perform regular account revalidations for Serena to ensure privileges remain appropriate, and conduct an assessment over the ICOFR process related to identifying and evaluating scripts that have a financial statement impact.

APPLICATION CONTROLS
Application controls were not tested for the year ending September 30, 2010, due to the nature of the prior-year audit findings.

MANAGEMENT'S COMMENTS AND OIG RESPONSE
We obtained written comments on a draft of this report from Coast Guard's Chief Information Officer and Chief Financial Officer. Generally, Coast Guard agreed with all of our findings and recommendations. Coast Guard has developed a remediation plan to address these findings and recommendations. We have included a copy of the comments in Appendix D.

OIG Response
We agree with the steps that USCG's management is taking to satisfy these recommendations.

Appendix A

Description of Key Coast Guard Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial Statement Audit
Below is a description of significant Coast Guard financial management systems and supporting IT infrastructure included in the scope of the DHS Financial Statement Audit – Coast Guard Component.

Locations of Audit: Coast Guard HQ in Washington, DC; the Coast Guard FINCEN in Chesapeake, Virginia (VA); the Operations Supply Center (OSC) in Martinsburg, West Virginia; Aviation Logistics Center (ALC) in Elizabeth City, North Carolina; and the Pay and Personnel Center (PPC) in Topeka, Kansas.

Key Systems Subject to Audit:

Core Accounting System (CAS)
CAS is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. CAS is hosted at the Coast Guard's FINCEN, in Chesapeake, VA. The FINCEN is the Coast Guard's primary data center. CAS is a customized version of Oracle Financials. CAS interfaces with two other systems located at the FINCEN, WINS and the Financial and Procurement Desktop (FPD).

FPD
The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports.
FPD is interconnected with the CAS system and is located at the FINCEN in Chesapeake, VA.

WINS
WINS is the document image processing system, which is integrated with an Oracle Developer/2000 relational database. WINS allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation and payment. WINS utilizes MarkView software to scan documents, to view the images of scanned documents, and to render images of electronic data received. WINS is interconnected with the CAS and FPD systems and is located at the FINCEN in Chesapeake, VA.

Joint Uniform Military Pay System (JUMPS)
JUMPS is a mainframe application used for paying USCG active and reserve payroll. JUMPS is located at the PPC in Topeka, Kansas.

Direct Access
Direct Access is the system of record, and all functionality, data entry, and processing of payroll events is conducted exclusively in Direct Access. Direct Access is maintained by IBM Application On Demand (IBM AOD) in the iStructure data center facility at Tempe, AZ, with a hotsite located in a Qwest data center in Sterling, VA. Coast Guard personnel who provide system support to Direct Access are located at Coast Guard HQ and PPC.

Global Pay (Direct Access II)
Global Pay provides retiree and annuitant support services.
Global Pay is maintained by IBM Application On Demand in the iStructure data center facility at Tempe, AZ, with a hotsite located in a Qwest data center in Sterling, VA. Coast Guard personnel who provide system support to Global Pay are located at Coast Guard HQ and PPC.

Shore Asset Management (SAM)
SAM is hosted at the Coast Guard's Operation System Center (OSC), in Martinsburg, WV. SAM provides core information about the Coast Guard shore facility assets and facility engineering. The application tracks activities and assists in the management of the Civil Engineering Program and the Facility Engineering Program.

Naval and Electronics Supply Support System (NESSS)
NESSS is one of four automated information systems that comprise the family of Coast Guard logistics systems. NESSS is a fully integrated system linking the functions of provisioning and cataloging, unit configuration, supply and inventory control, procurement, depot-level maintenance and property accountability, and a full financial ledger.

Aviation Logistics Management Information System (ALMIS)
ALMIS provides Coast Guard Aviation logistics management support in the areas of operations, configuration management, maintenance, supply, procurement, financial, and business intelligence. Additionally, ALMIS covers the following types of information: Financial, Budget, Planning, Aircraft & Crew Status, Training & Readiness, and Logistics & Supply. The Aviation Maintenance Management Information System (AMMIS), a subcomponent of ALMIS, functions as the inventory management/fiscal accounting component of the ALMIS application. The Aircraft Repair & Supply Center (ARSC) Information Systems Division (ISD) in Elizabeth City, North Carolina, hosts the ALMIS application.

CG Treasury Information Executive Repository (CG TIER)
CG TIER is a financial data warehouse containing summarized and consolidated financial data relating to USCG operations.
It is one of several supporting applications within the CAS Suite designed to support the core financial services provided by FINCEN. CG TIER provides monthly submissions to the DHS Consolidated TIER.

Appendix B

FY 2010 Notices of IT Findings and Recommendations at Coast Guard

Notice of Findings and Recommendations – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS Consolidated Independent Auditor's Report.

   1 – Not substantial
   2 – Less significant
   3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These ratings are
provided only to assist the Coast Guard in the development of its corrective action plans for remediation of the deficiency.

Department of Homeland Security
FY 2010 Information Technology – Coast Guard
Notices of Findings and Recommendations – Detail

Notification of Findings and Recommendations – Detail
United States Coast Guard

NFR #   Condition   Recommendation   New Issue   Repeat Issue   Severity Rating
NFR # CG-IT-10-01 | Repeat Issue | Severity Rating: 2
Condition: We determined that the Contractor, Civilian, and Military Account Termination Notification Process is still in the planning stages. Requirements still need to be prioritized and cost estimates need to be developed in order to obtain funding. Coast Guard still plans on using Direct Access but will only implement this new process once Direct Access has been upgraded; however, the implementation date has not yet been finalized.
Recommendation: We recommend that Coast Guard Headquarters continue with the following efforts:
   1) Develop a resource plan with associated supporting business case(s) to address account tracking for terminated, transferred, or retired contractor, military, and civilian
      personnel; and,
   2) Continue existing planning efforts and develop, document, and implement enterprise-wide processes that will notify all impacted system owners of terminated, transferred, or retired contractor, military, and civilian personnel.

NFR # CG-IT-10-02 | Repeat Issue | Severity Rating: 2
Condition: We determined that Coast Guard Headquarters incorporated Program Manager guidance to the Commandant Instruction, as Enclosure 3, so that the Program Managers could determine the correct risk level and position sensitivity designation.
Recommendation: We recommend that Coast Guard Headquarters continue with the following efforts:
Condition (continued): An All Coast Guard (ALCOAST) message was also released in June that stated all contractors must have a favorable fingerprint check and initiated or completed minimum background investigation in order to obtain a Common Access Card (CAC), effective immediately.
Recommendation (continued):
   1) Continue to update existing contracts to include the new contractor background check requirements, and perform associated contractor
Recommendation (continued):
      background checks;
   2) Continue to include new contractor background check requirements in new contracts, and perform associated background checks; and
   3) Develop a resource plan with associated supporting business case(s) to address the need for a reporting mechanism for contractor risk level, position sensitivity designation, and associated background check.
Condition (continued): This has resulted in two activities: 1) new contracts will incorporate these new requirements immediately; and 2) existing contracts will incorporate these new requirements when new task orders are issued, options are exercised, contract modifications are made, etc. Therefore, based upon the renewal/option date of a contract in place prior to the ALCOAST, it could take up to two years before all of the contractors throughout Coast Guard will meet these new requirements. Furthermore, as part of our analysis, we were unable to determine if Coast Guard had the capability to consistently produce a current and comprehensive list of all Coast Guard contractors to include valid background investigation information tied to the correct risk level and position sensitivity designation.

NFR # CG-IT-10-03 | Repeat Issue | Severity Rating: 2
Condition: We determined that the Coast Guard will delay issuing any new or updated guidance/instructions until the Joint Reform Team (JRT) report/guidance has been issued and will continue to not comply with the DHS standards in regards to civilian background investigation and reinvestigations.
Recommendation: We recommend that Coast Guard Headquarters continue with the following efforts:
Condition (continued): Coast Guard will continue to vet civilian individuals based on the Office of Personnel Management requirements and associated methodology both in terms of initial background investigations and re-investigations. In addition, Coast Guard has created an organization-wide automated report that shows the background investigation
Recommendation (continued):
   1) Develop a resource plan with associated supporting business case(s) to address fixing the organization-wide background investigations report; and
   2) Continue existing efforts to update, document, and implement the overall Coast Guard personnel security
Recommendation (continued):
      process for civilian personnel, based upon the JRT report/guidance.
Condition (continued): status of each civilian Coast Guard employee. However, Coast Guard is currently unable to consistently generate error-free reports. Coast Guard stated that the report could be corrected within 2 years if additional resources are provided.

NFR # CG-IT-10-04 | New Issue | Severity Rating: 1
Condition: From the period of October 1, 2009 through November 29, 2009, adequate guidance was not in place for Coast Guard to properly assess the financial statement impact of changes to the production environment of CAS, FPD and WINS.
During this time period, two CAS changes were implemented into production without a proper assessment of the financial statement impact of the proposed changes.
Upon the effective date of the Financial Impact Determination for Data Scripts and System Change Requests Memorandum on November 30, 2009, Coast Guard began and continued to follow adequate guidance to properly assess the financial statement impact of changes to CAS, FPD and WINS.
Recommendation: No recommendation required. Coast Guard took appropriate corrective action during the current fiscal year to remediate the exception that was identified during this fiscal year.

NFR # CG-IT-10-05 | Repeat Issue | Severity Rating: 3
Condition: We determined that some previously noted weaknesses were remediated (particularly in the second half of FY 2010), while other control deficiencies continued to exist.
Recommendation: We recommend that Coast Guard:
   1) Update the scripting policies and
Recommendation (continued):
      procedures to include additional and more detailed test documentation;
Condition (continued): The remaining control deficiencies that were present throughout FY 2010 vary in significance; however, three key areas that impact the Coast Guard Script control environment are: 1) Script Testing Requirements; 2) Script Testing Environment; and 3) Script Audit Logging Process.
Recommendation (continued):
   2) Develop training that addresses all aspects of script testing (including
Recommendation (continued):
      documentation of test documents) and provide training to appropriate CM staff;
   3) Develop a resource plan with associated supporting business case(s) to address the database audit logging requirements;
   4) Develop procedures and perform regular account revalidation for Serena to ensure privileges remain appropriate; and
Condition (continued):
   a. Script Testing Requirements: Limited testing requirements exist to guide FINCEN staff in the development of test plans and guidance over the functional testing that should be performed. Additionally, we determined that there are no detailed requirements over the review and testing of functional changes to the data. FINCEN only tracks and documents the number of transactions updated on scripts that have a financial impact and not the detailed dollar amounts associated with the financial impact transactions.
   b. Script Testing Environment: Not all script changes were tested in the appropriate CAS Suite test environments, as required.
Recommendation (continued):
   5) Conduct an assessment over the ICOFR process related to identifying and evaluating scripts that have a financial statement impact.
Condition (continued): FINCEN management informed us that the testing environments, CAS4 and LUFSFQT3, were offline for these exceptions due to a refresh of the databases and that testers used CAS3 and Alpha as alternate testing environments instead. However, FINCEN management informed KPMG that these environments are refreshed on an as-needed basis and no further information could be provided over how frequently the CAS3 and Alpha databases were refreshed to verify that the scripts were adequately tested in the appropriate environment. Furthermore, we determined that guidance is not provided over the
  Issue      Rating\n              use of alternate testing environments for the\n              testing of scripts to ensure they are adequately\n              tested.\n           c. Script Audit Logging Process: The CAS, FPD,\n              and Sunflower databases are logging changes to\n              tables as well as successful and unsuccessful\n              logins. However, no reconciliation between the\n              scripts run and the changes made to the database\n              tables is being performed to monitor the script\n              activities and ensure that all scripts run have been\n              approved through Change Management Script\n              System or Serena. In addition, we noted that\n              FINCEN has not established a formal process to\n              monitor and review changes made to the\n              Sunflower database including the tables and\n              activities modified by the database\n              administrators.\n        During our test work, we noted weaknesses in the script\n        change management process as it relates to the ICOFR\n        process (e.g., the financial statement impact of the\n        changes to the CAS Suite through the script change\n        management process). While a process exists to\n        identify, and route a script with potential financial\n        statement impact through an assessment process, the\n        review and determination over each script is primarily\n        performed without structured/detailed procedures in\n        place. Furthermore, the rationale documenting the\n        impact of the script, whether deemed as having financial\n        impact or not, is not documented and retained. 
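Item c above notes that the CAS, FPD, and Sunflower databases log table changes but that nobody reconciles those changes against the scripts approved through the Change Management Script System or Serena. The following is an added example of such a reconciliation over constructed data; it is not code from the report, KPMG, or the Coast Guard. The approval-register and audit-trail layouts, account names, table names, script identifiers and timestamps are all hypothetical, because the report does not describe the real export formats.

```python
"""Reconcile logged database table changes against approved script runs.

Added example for this management letter; not code from the report, KPMG or
the Coast Guard. Both record layouts are hypothetical: an approval register
(script id, approved runner, in-scope tables, execution window) exported from
the change-management tool, and a pipe-delimited audit trail of table
modifications. The control is the one the report finds missing: every logged
change must map to an approval, and every approval should produce a change.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Approval:
    script_id: str
    runner: str               # account approved to execute the script
    tables: FrozenSet[str]    # tables the script is approved to modify
    window_start: datetime    # approved execution window (inclusive)
    window_end: datetime


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    table: str
    action: str                # INSERT / UPDATE / DELETE / DDL
    script_tag: Optional[str]  # script id the runner attached, if any


def parse_audit_line(line: str) -> AuditEvent:
    """Parse 'timestamp|user|table|action|script_tag' (tag may be empty)."""
    ts, user, table, action, tag = (f.strip() for f in line.split("|"))
    return AuditEvent(datetime.fromisoformat(ts), user, table, action, tag or None)


def _covers(appr: Approval, ev: AuditEvent) -> bool:
    return (ev.user == appr.runner and ev.table in appr.tables
            and appr.window_start <= ev.ts <= appr.window_end)


def classify(ev: AuditEvent, approvals: List[Approval]) -> Tuple[Optional[str], Optional[str]]:
    """Return (matched_script_id, exception_reason); exactly one is None."""
    by_id = {a.script_id: a for a in approvals}
    if ev.script_tag is not None:
        appr = by_id.get(ev.script_tag)
        if appr is None:
            return None, "script_not_in_register"
        if ev.user != appr.runner:
            return None, "runner_mismatch"
        if ev.table not in appr.tables:
            return None, "table_not_in_scope"
        if not (appr.window_start <= ev.ts <= appr.window_end):
            return None, "outside_window"
        return appr.script_id, None
    # Untagged change: accept it only if some approval fully covers it.
    for appr in approvals:
        if _covers(appr, ev):
            return appr.script_id, None
    return None, "untagged_no_covering_approval"


def reconcile(audit_lines: List[str], approvals: List[Approval]) -> Dict[str, list]:
    """Split the audit trail into matched changes, exceptions for review,
    and approved scripts that never produced a logged change."""
    matched, exceptions, ran = [], [], set()
    for line in audit_lines:
        ev = parse_audit_line(line)
        script_id, reason = classify(ev, approvals)
        if reason is None:
            matched.append((ev, script_id))
            ran.add(script_id)
        else:
            exceptions.append((ev, reason))
    approved_not_run = [a.script_id for a in approvals if a.script_id not in ran]
    return {"matched": matched, "exceptions": exceptions,
            "approved_not_run": approved_not_run}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed sample data: hypothetical accounts, tables, script ids and times.
SAMPLE_APPROVALS = [
    Approval("SCR-1041", "fincen_dba1", frozenset({"GL_JOURNAL", "GL_BALANCE"}),
             _t("2010-07-12T18:00:00"), _t("2010-07-12T22:00:00")),
    Approval("SCR-1042", "fincen_dba2", frozenset({"AP_VENDOR"}),
             _t("2010-07-13T18:00:00"), _t("2010-07-13T22:00:00")),
    Approval("SCR-1043", "fincen_dba1", frozenset({"FA_ASSET"}),
             _t("2010-07-14T18:00:00"), _t("2010-07-14T22:00:00")),
]
SAMPLE_AUDIT_LINES = [
    "2010-07-12T19:05:00|fincen_dba1|GL_JOURNAL|UPDATE|SCR-1041",  # approved
    "2010-07-12T19:06:00|fincen_dba1|GL_BALANCE|UPDATE|SCR-1041",  # approved
    "2010-07-12T23:10:00|fincen_dba1|GL_JOURNAL|UPDATE|SCR-1041",  # after window
    "2010-07-13T19:00:00|fincen_dba2|AP_VENDOR|DELETE|SCR-1042",   # approved
    "2010-07-13T19:02:00|fincen_dba2|AP_INVOICE|UPDATE|SCR-1042",  # table out of scope
    "2010-07-14T02:30:00|fincen_dba2|GL_JOURNAL|UPDATE|",          # untagged, no approval
    "2010-07-13T19:30:00|fincen_dba1|AP_VENDOR|UPDATE|SCR-9999",   # unknown script
]

if __name__ == "__main__":
    result = reconcile(SAMPLE_AUDIT_LINES, SAMPLE_APPROVALS)
    for ev, reason in result["exceptions"]:
        print(f"{ev.ts.isoformat()} {ev.user:<12} {ev.action:<6} {ev.table:<11} {reason}")
    print("approved but never run:", result["approved_not_run"])
```

Each exception carries a reason a reviewer can act on: a change outside the approved window or against a table outside the approved scope is a change-management breach even though the script itself was approved, while an untagged change or a tag that is not in the register is exactly the unapproved activity the reconciliation exists to surface. Approved scripts with no logged change are reported as well, since an approval that never executed is a sign that the register and the database have drifted apart. For the reconciliation to mean anything, the audit trail must be written to a store the database administrators cannot edit, which is the separate Sunflower monitoring gap the item also raises.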
Condition (continued): In addition, within the CAS Suite environment, over 200 scripts are run on a weekly basis, and we noted that the financial statement impact assessment is essentially performed by a single branch, which has authorized only three people to assess the scripts.

CG-IT-10-06 (Repeat Issue: X; Severity Rating: 2)
Condition: To complement our IT audit testing efforts as part of the FY 2010 DHS Financial Statement Audit and Audit of ICOFR, we also performed social engineering testing. During our social engineering testing, we were provided with seven users' passwords.
Recommendation: We recommend that Coast Guard Headquarters update the annual IA training to include more robust "phishing" and "social engineering" guidance and instruction and explicitly test individuals on these topic areas during the training.

CG-IT-10-07 (New Issue: X; Severity Rating: 1)
Condition: A selection of newly created users of the JUMPS application was made to inspect whether applicable documentation was recorded and retained to identify authorized users. We determined that documentation was not retained for one of the five users selected. We performed inquiry procedures with management to determine that access was appropriately restricted for this user; however, no JUMPS Access Authorization Form could be located. On July 20, 2010, management remediated the exception by completing a new JUMPS Access Authorization Form for the noted user and entering a copy of the form into the Coast Guard's imaging repository.
Recommendation: No recommendation required. Coast Guard took appropriate corrective action during the current fiscal year to remediate the exception that was identified during this fiscal year.

CG-IT-10-08 (New Issue: X; Severity Rating: 1)
Condition: We determined that the Coast Guard TIER System password setting for lockout duration (PASSWORD_LOCK_TIME) was configured to only 0.0005 days (less than one minute). This setting was subsequently changed on 7/19/2010 to "UNLIMITED", which requires an administrator to unlock the account. We observed and noted that this change was made by Coast Guard.
Recommendation: No recommendation required. Coast Guard took appropriate corrective action during the current fiscal year to remediate the exception that was identified during this fiscal year.

CG-IT-10-09 (Repeat Issue: X; Severity Rating: 2)
Condition: To complement our IT audit testing efforts as part of the FY 2010 DHS Financial Statement Audit and Audit of ICOFR, we also performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical aspects include physical access to media and equipment that house financial data, and information left on a Coast Guard employee's or contractor's desk, which could be used by others to gain unauthorized access to systems housing financial information.

During our after-hours physical security testing, we identified the following:
- 9 instances of passwords found near a desktop computer;
- 13 instances of FOUO information unsecured;
- 4 instances of PII unsecured;
- 16 instances of unsecured external hard drives;
- 4 instances of unsecured secure token IDs;
- 3 instances of unsecured laptop computers;
- 1 instance of a computer terminal root command left unattended;
- 1 instance of a network directory structure map left unattended;
- 1 instance of an active on-session computer left unsecured;
- 3 instances of IP addresses left unsecured; and
- 1 USCG badge left unsecured.
Recommendation: We recommend that Coast Guard:
1) Update the annual IA training to include more robust office "physical security" and "clean desk" guidance and instruction and explicitly test individuals on these topic areas during the training; and
2) Implement enterprise-wide and site-specific processes for verifying the effectiveness of this training via mechanisms such as scheduled and ad hoc desk checks, training follow-ups, and other management controls.

CG-IT-10-10 (Repeat Issue: X; Severity Rating: 1)
Condition: During our FY 2010 follow-up test work, we determined that the Role-Based Industry Standards for USCG IA Professionals Commandant Instruction had been renamed Information Assurance Professional Certifications and was formally issued on March 23, 2010. The Instruction states that all military employees assigned to an IA role must obtain a required certification within 12 months of the Commandant Instruction issue date (i.e., by March 23, 2011), and that all civilian employees currently in an IA role would be granted a waiver within 12 months of the Commandant Instruction issue date.

Although Coast Guard has taken corrective actions to remediate this prior year NFR, we determined that since the corrective actions are planned for completion by March 2011, they were not completed in FY 2010 (i.e., not all IA professionals who are required to obtain/maintain a professional certification within a year of the date of the Instruction had obtained a certification by the end of FY 2010). Our testing noted that eight (8), or 3.9%, of Coast Guard IA professionals out of the total population of 205 have the required certification for their prescribed level on file. Furthermore, we noted that 59, or 28.7%, of Coast Guard IA professionals have not provided evidence of industry-based training. In addition, through our testing, we could not determine the number of IA professionals that had been granted waivers for the certification requirement. We also noted that 14 Coast Guard System Administrators were not listed as being part of the 205 Coast Guard IA professionals.
Recommendation: We recommend that Coast Guard:
1) Continue to implement Commandant Instruction Information Assurance Professional Certification; and
2) Improve and utilize its manual tracking process until such time that the Direct Access implementation is in place.

CG-IT-10-11 (New Issue: X; Severity Rating: 1)
Condition: During the FY 2010 IT Audit, a selection of users added to the CG TIER application during the fiscal year was made to inspect whether proper documentation was recorded and retained to identify authorized users. We determined that documentation was not retained for one of the two CG TIER users selected. Upon further inquiry with management, we were informed that the identified CG TIER user had been authorized access by the Financial Branch Chief; however, the email approval had been lost.
Recommendation: We recommend that Coast Guard take the following actions:
1) For the user identified during testing, complete and retain all appropriate access request documentation; and
2) Update the CG TIER account management procedures to effectively track and retain user access documentation.

CG-IT-10-12 (Repeat Issue: X; Severity Rating: 2)
Condition: During our FY 2010 test work, we were informed by the Coast Guard that an annual review of 100% of the Direct Access user accounts with greater than read-only access (and their associated privileges) has not been performed for this fiscal year.

Coast Guard also informed us that all Direct Access accounts created and/or modified during the fiscal year have been reviewed as part of the normal transfer and aging processes; however, our testing did not extend to validating this statement. Based upon a risk-based decision, the Coast Guard has designed a process to review a subset of users that represent the greatest risk to Direct Access. This annual review would cover approximately 743 Direct Access users. The scope of the review includes users with payment approval, security administrator permissions, all contractors, and users with update/delete permissions.

However, since this subset review does not cover 100% of the Direct Access user accounts with greater than read-only access (and their associated privileges) as required by DHS, we consider this NFR to be re-issued.
Recommendation: We recommend that Coast Guard:
1) Develop a resource plan with associated supporting business case(s) to address the 100% account review requirement;
2) Continue to coordinate with the DHS Chief Information Security Officer's (CISO) office to determine and formalize the frequency and depth/breadth of effective reviews that address the perceived risk. Based upon the results of these discussions with the DHS CISO's office, the Coast Guard will modify procedures and develop, if applicable, required waivers/exceptions to reflect an adequate percentage of Direct Access user accounts to be reviewed; and
3) Continue to use its existing risk-based account review efforts until such time that the procedures are updated in response to the activities associated with the second recommendation.

CG-IT-10-13 (New Issue: X; Severity Rating: 1)
Condition: As part of this year's testing, we identified one security configuration management weakness (i.e., outdated operating system software) on hosts supporting CAS, FPD, and NESSS, as well as on those systems' network infrastructure and associated workstations.
Recommendation: We recommend that Coast Guard:
1) Develop a resource plan with associated supporting business case(s) to address the installation of Service Pack 3 on all applicable Windows XP workstations and/or upgrade the operating systems of these workstations to the Coast Guard's Vista-based Standard Image 6.0;
2) Develop a resource plan with associated supporting business case(s) to address the server operating system upgrades, to include a technical analysis to ensure Windows 2003 server upgrades do not adversely affect system operation; and
3) Based upon the results of Recommendations 1 and 2, schedule and perform the upgrades and/or patches of the impacted servers and workstations.

CG-IT-10-14 (New Issue: X; Severity Rating: 2)
Condition: During our FY 2010 audit test work, we sampled 25 new user accesses for NESSS that were granted during the fiscal year to determine whether an access authorization form had been completed, whether the access had been approved in a timely manner by the user's supervisor, and whether the forms were retained. Based upon our testing, we were unable to obtain 9 of the 25 user access forms. In addition, evidence of supervisory approval for 9 of the 25 sampled users was not available.
Recommendation: We recommend that the Coast Guard's Operations Systems Center (OSC) update the NESSS account management Standard Operating Procedure (SOP) to provide clear guidance regarding the use of user access forms and update the access form to include an approval signature line.

CG-IT-10-15 (New Issue: X; Severity Rating: 1)
Condition: During the FY 2010 audit test work, Aviation Logistics Center (ALC) visitor logs for the fiscal year were obtained to determine whether proper documentation was recorded and retained for the verification of individuals visiting the ALC Data Center and Facility. Our testing determined that the ALC Customer Support Desk did not properly complete the visitor logs during the FY 2010 audit period. Specifically, of a total of 190 visitor log entries for the fiscal year, 33 entries did not have the Date-Out and Time-Out fields completed and 31 entries did not have the Sponsor field completed.

Additionally, the ALC Data Center Access Listing was obtained to determine whether a review of the access listing was conducted and whether evidence of the review was maintained. Our testing determined that evidence of reviews of the Data Center Access Listing for the FY 2010 period was not maintained. Therefore, we could not determine that the Data Center Access Listing had been properly reviewed during the year.
Recommendation: We recommend that Coast Guard:
1) Develop and maintain a SOP to ensure that the ALC Data Center Access Control list is kept current and that its quarterly review is documented and maintained; and
2) Re-emphasize to all ALC Support Desk personnel (through training) the importance of properly maintaining the visitor log and of ensuring it is filled out completely and accurately.

CG-IT-10-16 (New Issue: X; Severity Rating: 1)
Condition: During the FY 2010 IT Audit, the AMMIS password configuration settings were obtained and tested to determine whether they complied with DHS policy. Our testing determined that the AMMIS subsystem password configuration settings do not comply with all of the required DHS password guidelines. Specifically, the AMMIS password configuration settings did not comply with the following DHS password policy requirements:
- Contain a combination of alphabetic, numeric, and special characters: the AMMIS configuration requires a combination of alphabetic, numeric, or special characters, so a password drawn from a single character class is accepted; and
- Not be the same as any of the previous eight passwords: the AMMIS configuration only prevents reuse of the previous six passwords.

Additionally, our testing determined that the current ALMIS System Security Plan (SSP), which includes the system-level requirements of the AMMIS subsystem, states that the implemented password configuration does not comply with the current DHS password policy. Specifically, the ALMIS SSP states that the password cannot be the same as the previous 6 passwords, whereas DHS guidance states that passwords cannot be the same as the previous 8 passwords.
Recommendation: We recommend that the Coast Guard configure the AMMIS application to enforce the strong password and password history requirements described in the DHS Management Directive 4300A Policy Directive and update all impacted Certification & Accreditation and system documentation accordingly.

CG-IT-10-17 (Repeat Issue: X; Severity Rating: 2)
Condition: To complement our IT audit testing efforts as part of the FY 2010 DHS Financial Statement Audit and Audit of ICOFR, we also performed a second round of social engineering testing as part of the FY 2010 DHS Financial Audit and Audit of Internal Control over Financial Reporting. Our initial testing occurred on June 30 and July 1, 2010; during it we were provided with seven users' passwords, and it resulted in Coast Guard IT-NFR-10-06 being issued.
Recommendation: We recommend that Coast Guard implement the recommendations presented in Coast Guard IT-NFR-10-06. No additional actions are required.
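The password-configuration findings above (CG-IT-10-08 and CG-IT-10-16) turn on three settings: whether complexity is enforced as "all of" or "any of" the character classes, how many previous passwords the history covers, and how long a locked account stays locked. The following is an added example, not code from the report, KPMG or the Coast Guard, that evaluates those settings over constructed data. The settings dictionaries are a hypothetical normalised export, since the report does not show how AMMIS or TIER store their configuration; the eight-password history and the "combination of alphabetic, numeric, and special characters" rule are the DHS requirements as the letter states them, while the minimum lockout duration used in the check is an assumed placeholder because the letter quotes the TIER values (0.0005 days, then UNLIMITED) without stating the required value.

```python
"""Password-setting checks for the configuration findings in this letter.

Added example; not code from the report, KPMG or the Coast Guard. The
settings dictionaries are a hypothetical normalised export. Rules taken from
the letter's reading of DHS 4300A: a password must contain alphabetic,
numeric AND special characters (AMMIS accepted any one class), and it must
not match any of the previous eight passwords (AMMIS kept six). The lockout
minimum below is an assumption; the report does not state the required value.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Union

REQUIRED_HISTORY = 8                # DHS value cited in CG-IT-10-16
ASSUMED_MIN_LOCK_SECONDS = 15 * 60  # assumption, not taken from the report
SECONDS_PER_DAY = 86_400

_CLASSES = {
    "alphabetic": re.compile(r"[A-Za-z]"),
    "numeric": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_ok(password: str, mode: str) -> bool:
    """mode='all': every character class must be present (DHS rule).
    mode='any': a single class suffices (the AMMIS setting as found)."""
    present = [name for name, rx in _CLASSES.items() if rx.search(password)]
    if mode == "all":
        return len(present) == len(_CLASSES)
    if mode == "any":
        return bool(present)
    raise ValueError(f"unknown complexity mode: {mode}")


def _digest(password: str, salt: bytes) -> bytes:
    # Per-account salt; the iteration count is kept low only to keep the example quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def reused_within_history(candidate: str, previous: List[bytes], depth: int,
                          salt: bytes) -> bool:
    """True if candidate equals one of the `depth` most recent stored
    passwords. `previous` holds digests oldest-first."""
    cand = _digest(candidate, salt)
    return any(hmac.compare_digest(cand, old) for old in previous[-depth:])


def lock_time_seconds(value: Union[str, float]) -> float:
    """PASSWORD_LOCK_TIME is expressed in days; UNLIMITED means the account
    stays locked until an administrator unlocks it."""
    if isinstance(value, str) and value.strip().upper() == "UNLIMITED":
        return float("inf")
    return float(value) * SECONDS_PER_DAY


def evaluate(settings: Dict[str, Union[str, int, float]]) -> List[str]:
    """Return the requirements the settings fail; only keys present are judged."""
    failures = []
    if "complexity_mode" in settings and settings["complexity_mode"] != "all":
        failures.append("complexity must require alphabetic, numeric and special characters")
    if "history_depth" in settings and int(settings["history_depth"]) < REQUIRED_HISTORY:
        failures.append(f"history must cover the previous {REQUIRED_HISTORY} passwords")
    if ("lock_time_days" in settings
            and lock_time_seconds(settings["lock_time_days"]) < ASSUMED_MIN_LOCK_SECONDS):
        failures.append("lockout duration is below the assumed minimum")
    return failures


# Constructed settings mirroring the states the letter describes.
AMMIS_AS_FOUND = {"complexity_mode": "any", "history_depth": 6}
AMMIS_CORRECTED = {"complexity_mode": "all", "history_depth": REQUIRED_HISTORY}
TIER_AS_FOUND = {"lock_time_days": 0.0005}       # 43.2 seconds
TIER_AFTER_FIX = {"lock_time_days": "UNLIMITED"}

# Constructed history: eight prior passwords for one account, oldest first.
SALT = b"example-per-account-salt"
PREVIOUS = [_digest(f"Old{i}!pw", SALT) for i in range(1, 9)]

if __name__ == "__main__":
    for name, cfg in [("AMMIS as found", AMMIS_AS_FOUND), ("AMMIS corrected", AMMIS_CORRECTED),
                      ("TIER as found", TIER_AS_FOUND), ("TIER after fix", TIER_AFTER_FIX)]:
        print(f"{name}: {evaluate(cfg) or ['compliant']}")
    # "Old2!pw" is the seventh most recent password: a six-deep history lets it
    # through, the required eight-deep history rejects it.
    print("reuse caught at depth 6:", reused_within_history("Old2!pw", PREVIOUS, 6, SALT))
    print("reuse caught at depth 8:", reused_within_history("Old2!pw", PREVIOUS, 8, SALT))
```

Two points the check makes concrete: a 0.0005-day lock time converts to 43.2 seconds, which is why the letter describes it as less than one minute and why it does little to slow an online guessing attack; and the six-versus-eight history gap is not cosmetic, since a user cycling through seven passwords defeats the six-deep history entirely. The UNLIMITED setting that TIER moved to closes the lockout weakness but creates a denial-of-service lever, because anyone who can trigger failed logins against a known account can force an administrator unlock, so it should be paired with monitoring of lockout events.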
CG-IT-10-17 (continued)
Condition (continued): The testing approach and scope for the second round of testing were the same as for the initial round. During our second round of social engineering testing, we were provided with two users' passwords.

CG-IT-10-18 (New Issue: X; Severity Rating: 2)
Condition: Our testing determined that evidence of reviews of the AMMIS audit logs for the FY 2010 audit period was not maintained by ALC. Therefore, we could not determine whether the AMMIS audit logs had been properly reviewed during the year.

Additionally, our testing determined that reviews of all deactivated AMMIS accounts may not have been performed, and evidence of the reviews was not maintained by the ALC. Therefore, we could not determine whether deactivated AMMIS accounts had been properly monitored and reviewed during the year.

Lastly, we were informed by the ALC that the AMMIS audit logs were not being reviewed by an individual considered independent of the process. We noted that an AMMIS system administrator is responsible for reviewing the AMMIS audit logs.
Recommendation: We recommend that Coast Guard:
1) Update the AMMIS Standard Operating Procedures to address the audit log review and retention procedures; and
2) Implement separation of duties for the AMMIS audit log reviews.

CG-IT-10-19 (New Issue: X; Severity Rating: 2)
Condition: Our testing determined that evidence of a review and recertification of the 11,306 users with "Update" privilege in ALMIS was not maintained by the ALC. Therefore, we could not determine that ALMIS user accounts had been properly reviewed and recertified during the year.
Recommendation: We recommend that Coast Guard:
1) Develop a resource plan with associated supporting business case(s) to address the 100% account review requirement;
2) Continue to coordinate with the DHS CISO's office to determine and formalize the frequency and depth/breadth of effective reviews that address the perceived risk. Based upon the results of these discussions with the DHS CISO's
office, the Coast Guard will modify\n                                                                             procedures and develop, if\n                                                                             applicable, required\n                                                                             waivers/exceptions to reflect an\n                                                                             adequate percentage of ALMIS user\n                                                                             accounts to be reviewed; and\n                                                                         3) Continue to use its existing risk-\n                                                                             based account review efforts until\n                                                                             such time that the procedures are\n                                                                             updated in response to the activities\n                                                                             associated with the second\n                                                                             recommendation.\n\nCG-IT\xc2\xad   Our testing determined that the AMMIS Software              We recommend that Coast Guard establish            X                      1\n10-20    Change Request Forms were not appropriately                 and follow a management review process to\n         authorized. Specifically, for the four AMMIS software       ensure that any new AMMIS Software\n         changes made during the fiscal year, two of the software    Change Requests processed will be reviewed\n         change request forms were not signed by the Division        by the PC team for the proper/required\n         Chief.                                                      
signatures.\n\nCG-IT\xc2\xad   During our FY10 audit test work over the Naval and          Coast Guard took appropriate corrective            X                      2\n10-21    NESSS recertification process, we noted that 32 users       action to remediate the exception that was\n         were assigned the role FLS_USR_ADM_GRP within               identified and no additional corrective actions\n         the NESSS application. This role grants the ability to      are required.\n         add, modify, and delete user accounts. In addition, two\n         of these users were system administrators. This number\n         of users with this elevated role was considered excessive\n         based upon the ratio of this role to the NESSS user\n\n                      Information Technology Management Letter for the United States Coast Guard \n\n                                  Component of the FY 2010 Financial Statement Audit \n\n                                                       Page 30\n \n\n\x0c                                                                                                                               Appendix B\n                                               Department of Homeland Security \n\n                                                  United States Coast Guard \n\n                                           Information Technology Management Letter\n                                                      September 30, 2010\n\n                                                                                                                       New       Repeat     Severity\nNFR #                           Condition                                        Recommendation\n                                                                                                                       Issue      Issue      Rating\n         population.\n\n         On October 7, 2010, OSC management remediated the\n         condition by reducing the number of 
users with the FLS_USR_ADM_GRP role down to six.

CG-IT-10-22 (Repeat issue; Severity rating 2)
Recommendation: We recommend that Coast Guard:
  1) Update the SAM and NESSS audit log review procedures within the Standard Operating Procedures to include more detail in the ClearQuest tickets, including recording the results of the review of the audit logs;
  2) Implement similar separation of duties for the NESSS audit log reviews as has been implemented for the SAM audit log reviews; and
  3) Continue with ongoing efforts for identifying, designing, and implementing automated tools to assist in audit log collection, storage, analysis, and reporting, which will further improve consistency, timeliness, and accuracy of the reviews when compared with labor- and time-intensive manual processes.
Condition: We determined that OSC had updated the policies and procedures for System Administrators and Database Administrators to include more detail and instructions on entering sufficient evidence regarding the weekly non-independent audit log reviews documented and tracked in the ClearQuest ticketing system. We also noted that the monthly SAM audit log reviews were being conducted by an independent team.
Although OSC has taken steps to remediate the prior year conditions by updating the policies and completing the monthly independent reviews, we determined that the 3 sampled months of SA and DBA audit log reviews did not have sufficient detail on the ClearQuest tickets. Specifically, we identified the following:
  • 1 of the 3 SA monthly reviews did not have a searchable title;
  • 2 of the 3 SA monthly reviews did not include results of the audit log review (i.e., a statement such as "audit logs had no exceptions");
  • 3 of the 3 DBA monthly reviews did not list the logs that were included in the review; and
  • 3 of the 3 DBA monthly reviews did not have results of the audit log reviews.
As a result of limitations of the underlying operating system of the Shore Asset Management (SAM) system:
  • The servers do not automatically alert in the event of an incident; and
  • The server operating systems do not inherently provide audit reduction and report generation capability.
Furthermore, the OSC has not implemented a centralized log solution for audit log reduction and reporting, and automated alert notifications.
NESSS Audit Logs: During our FY 2010 test work for the NESSS, we noted that daily and weekly audit log reviews are performed by the NESSS System Administrator. The weekly audit log reviews are documented in the ClearQuest system with a running ticket for the calendar year. Each week's review is added to the ClearQuest ticket. However, we determined that there is not sufficient detail in the ClearQuest ticket in recording the results of the review of the audit logs. Furthermore, similar to the SAM audit log review process described above, OSC has not implemented a centralized log solution for audit log reduction and reporting, and automated alert notifications.
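As an added illustration of the audit-reduction and review-evidence gaps described in CG-IT-10-18, CG-IT-10-22 and CG-IT-10-28, the Python script below is the editor's example; it is not part of the KPMG letter and does not describe any Coast Guard system. It reduces syslog-style authentication and account-management records to the events a reviewer must act on, then writes a review record carrying the three items the sampled tickets lacked: a searchable title, the list of logs reviewed (with a hash of each), and the result. It also refuses to record a review performed by someone who administers the system, which is the separation-of-duties point in both findings. The host name, account names and log lines are constructed for the example, and the failed-logon threshold of five is an assumed local value; the page does not give the DHS threshold.

```python
"""Audit reduction and review-evidence record (editor's example, constructed data).

Reduces raw syslog-style authentication and account-management lines to the
few events a reviewer must look at, then produces a review record with the
fields an auditor expects to find: a searchable title, the logs covered
(with hashes), and the results, recorded by an independent reviewer.
"""
import hashlib
import re
from collections import Counter

# Constructed sample log for a hypothetical host "sam-app01"; not real data.
SAMPLE_LOG = """\
Sep 14 02:11:05 sam-app01 sshd[4021]: Failed password for jdoe from 10.20.30.7 port 51012 ssh2
Sep 14 02:11:09 sam-app01 sshd[4021]: Failed password for jdoe from 10.20.30.7 port 51013 ssh2
Sep 14 02:11:14 sam-app01 sshd[4021]: Failed password for jdoe from 10.20.30.7 port 51014 ssh2
Sep 14 02:11:20 sam-app01 sshd[4021]: Failed password for jdoe from 10.20.30.7 port 51015 ssh2
Sep 14 02:11:27 sam-app01 sshd[4021]: Failed password for jdoe from 10.20.30.7 port 51016 ssh2
Sep 14 02:11:33 sam-app01 sshd[4021]: Failed password for jdoe from 10.20.30.7 port 51017 ssh2
Sep 14 08:02:41 sam-app01 sshd[4188]: Accepted publickey for dbadmin from 10.20.30.44 port 40110 ssh2
Sep 14 08:03:02 sam-app01 useradd[4203]: new user: name=svc_report, UID=1107, GID=1107, home=/home/svc_report, shell=/bin/bash
Sep 14 08:03:30 sam-app01 usermod[4210]: add 'svc_report' to group 'wheel'
Sep 15 09:15:11 sam-app01 sshd[5012]: Failed password for invalid user admin from 203.0.113.9 port 33001 ssh2
Sep 15 09:15:12 sam-app01 sshd[5012]: Accepted password for mlee from 10.20.30.51 port 40500 ssh2
"""

# Assumed local threshold for flagging repeated failed logons from one source;
# the page does not give the DHS value.
FAILED_LOGON_THRESHOLD = 5

# Programs whose every line is an account-management event a reviewer must see.
ACCOUNT_MGMT_PROGS = {"useradd", "usermod", "userdel", "groupadd", "groupmod", "gpasswd"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line):
    """Classify one syslog line; returns None for lines in an unknown layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    failed = FAILED_RE.search(rec["msg"])
    accepted = ACCEPTED_RE.search(rec["msg"])
    if failed:
        rec.update(event="failed_logon", user=failed["user"], src=failed["src"])
    elif accepted:
        rec.update(event="logon", user=accepted["user"], src=accepted["src"])
    elif rec["prog"] in ACCOUNT_MGMT_PROGS:
        rec.update(event="account_mgmt", user=None, src=None)
    else:
        rec.update(event="other", user=None, src=None)
    return rec


def reduce_log(text):
    """Audit reduction: collapse raw lines into counts plus the account
    changes that always need a human look."""
    lines = text.splitlines()
    records = [r for r in map(parse_line, lines) if r]
    failed, logons, account_mgmt = Counter(), Counter(), []
    for r in records:
        if r["event"] == "failed_logon":
            failed[(r["user"], r["src"])] += 1
        elif r["event"] == "logon":
            logons[r["user"]] += 1
        elif r["event"] == "account_mgmt":
            account_mgmt.append(f'{r["ts"]} {r["prog"]}: {r["msg"]}')
    return {"lines": len(lines), "parsed": len(records), "failed": failed,
            "logons": logons, "account_mgmt": account_mgmt}


def find_exceptions(summary, threshold=FAILED_LOGON_THRESHOLD):
    """Turn the reduced view into the exceptions the review must record."""
    exceptions = [f"{n} failed logons for {user} from {src}"
                  for (user, src), n in sorted(summary["failed"].items()) if n >= threshold]
    exceptions += [f"account management event requires review: {ev}"
                   for ev in summary["account_mgmt"]]
    return exceptions


def build_review_record(system, period, logs, reviewer, administrators):
    """Evidence record for one review: searchable title, logs covered with a
    SHA-256 over their content, line counts, and the results. Refuses a
    reviewer who also administers the system (separation of duties)."""
    if reviewer in administrators:
        raise PermissionError(f"{reviewer} administers {system}; the review must be independent")
    record = {"title": f"{system} audit log review {period}", "reviewer": reviewer,
              "logs": [], "results": []}
    for name, text in logs.items():
        summary = reduce_log(text)
        record["logs"].append({"name": name, "lines": summary["lines"],
                               "sha256": hashlib.sha256(text.encode()).hexdigest()})
        record["results"] += [f"{name}: {e}" for e in find_exceptions(summary)]
    if not record["results"]:
        record["results"].append("no exceptions noted")
    return record


if __name__ == "__main__":
    # Hypothetical log name; "dbadmin" is the administrator who must not review.
    rec = build_review_record("SAM", "2010-09", {"sam-app01:/var/log/secure": SAMPLE_LOG},
                              reviewer="mlee", administrators={"dbadmin"})
    print(rec["title"])
    for entry in rec["logs"]:
        print(f'  log {entry["name"]} ({entry["lines"]} lines) sha256={entry["sha256"][:16]}...')
    for result in rec["results"]:
        print("  " + result)
```

The record produced here is what a ticket would need to carry: its title is searchable, the logs reviewed are identified by name, line count and content hash, and the result is either the list of exceptions or an explicit "no exceptions noted". The hash matters because it ties the recorded result to the exact log content that was reviewed; a later reviewer can re-run the reduction against retained logs and confirm that nothing was omitted.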
In addition, the weekly reviews are performed by the NESSS System Administrator, who is not considered an independent party as required by DHS MD 4300A.

CG-IT-10-23 (New issue; Severity rating 1)
Condition: During the FY 2010 audit test work, the OSC data center access listing was obtained in order to determine whether a review of the access listing was conducted and evidence of the review was maintained. OSC informed us that they perform a review of the data center access on a quarterly basis. However, our testing determined that the evidence of reviews concerning OSC data center access for FY 2010 was not maintained. Therefore, we could not determine whether the OSC data center access listing had been properly reviewed during the year.
Recommendation: We recommend that Coast Guard develop detailed procedures for:
  1) Quarterly data center access reviews, to include validating that users have a physical need to access the data floor; and
  2) Methods for maintaining the review documentation.

CG-IT-10-24 (Repeat issue; Severity rating 3)
Condition: During prior financial statement audits dating back to FY 2003, we noted that the implementation and oversight of the Coast Guard's information security controls needed various improvements. In FY 2010, continued improvements have been made in the areas of access controls, entity-level controls, and configuration management. Improvements in the IT control environment were identified at each of the Coast Guard financial processing locations where IT audit was previously conducted.
However, significant improvements are still warranted in the area of script configuration management controls for the key financial systems located at the FINCEN. Script configuration management control is the subject of the significant control deficiencies identified and recommendations that were developed during the audit. Other weaknesses continued to exist, to a lesser extent, in the areas of access controls and entity-wide security at each of the Coast Guard financial processing locations. These continued weaknesses require Coast Guard to continue with the implementation of their corrective action plans and monitoring efforts.
As a result of our audit test work and supported by all the IT NFRs issued during the current year, we determined that Coast Guard is non-compliant with FFMIA.
Recommendation: We recommend that Coast Guard:
  1) Continue to implement and improve upon the monitoring of compliance with DHS, Coast Guard, and Federal security policies and procedures in the areas of script configuration management controls, to include the use of the automated tools deployed at the FINCEN; and
  2) Develop and implement corrective action plans to address and remediate the NFRs issued during the FY 2010 audit.

CG-IT-10-25 (New issue; Severity rating 1)
Condition: During our FY 2010 year-end IT roll-forward audit testing procedures, we determined that one (1) of the five (5) FPD Production Implementation Request (PIR) forms tested was not signed off by the analyst/submitter/implementer as required per the FINCEN PIR form.
Recommendation: The process for obtaining written sign-off on PIR forms has recently been replaced with an automated workflow process that eliminates the need for written approvals; therefore, no additional corrective actions are required.

CG-IT-10-26 (New issue; Severity rating 2)
Condition: During the FY 2010 audit test work, we determined that ALC policies and procedures for the following control areas are not adequately detailed to provide clear and complete control descriptions for each of the following processes:
  • Physical Access to the data center and systems in the data center;
  • Access to Program Libraries;
  • Segregation of Duties in support of the AMMIS application;
  • AMMIS Audit Log Review and Retention;
  • Backups and Data Restoration; and
  • Offsite Storage of Backup media.
Recommendation: We recommend that Coast Guard develop, document, communicate, train, test, and continuously maintain policies and procedures for the cited control and process areas.

CG-IT-10-27 (New issue; Severity rating 1)
Condition: The NESSS' Oracle verify_function in the SYS schema is incorrectly configured and does not include verification of special characters for passwords.
Recommendation: We recommend that Coast Guard review and update the Oracle verify_function in the SYS schema to include the verification of special characters for passwords.

CG-IT-10-28 (Repeat issue; Severity rating 1)
Condition: During our FY 2010 audit test work, we followed up with Coast Guard management and were notified that this Direct Access audit logging weakness, noted in FY 2009, cannot be resolved until Direct Access is updated to PeopleSoft version 9. There is no current timeline for the upgrade to take place. The following conditions were noted last year and are still open in FY 2010: not all Direct Access failed logon attempts are logged or reviewed; and account management audit logs for the Direct Access application are not reviewed on a monthly basis, which is a requirement set forth within DHS Policy.
Recommendation: We recommend that Coast Guard continue with the PeopleSoft 9.0 upgrade and PeopleSoft Portal implementation.

Appendix C

Department of Homeland Security
United States Coast Guard
Information Technology Management Letter
September 30, 2010

Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at Coast Guard

Prior Year NFR #   Description                                                                                              Disposition
CG-IT-09-10        Contractor Background Investigation Weakness                                                             Repeat: 10-02
CG-IT-09-14        Weaknesses with Specialized Role-based Training for Individuals with Significant Security Responsibilities   Repeat: 10-10
CG-IT-09-23        SAM Audit Log Review Weakness                                                                            Repeat: 10-22
CG-IT-09-25        WINS Access Controls Need Strengthening                                                                  Closed
CG-IT-09-31        Weaknesses Exist in the Configuration Management Controls Over the Scripting Process                     Repeat: 10-05
CG-IT-09-32        Lack of Documented Contractor Tracking System Reconciliation Procedures                                 Closed
CG-IT-09-33        Lack of a Consistent Contractor, Civilian, and Military Account Termination Process for Coast Guard Systems   Repeat: 10-01
CG-IT-09-34        WINS Change Control Weakness                                                                             Closed
CG-IT-09-40        Civilian Background Investigation Weakness                                                               Repeat: 10-03
CG-IT-09-42        Non-Compliance with FFMIA – Information Technology                                                       Repeat: 10-24
CG-IT-09-43        Recertification Weakness within the User Management System (UMS)                                         Closed
CG-IT-09-45        FINCEN data center access is not restricted to appropriately authorized personnel                        Closed
CG-IT-09-46        Configuration and Patch Management - Vulnerability Assessment                                            Closed
CG-IT-09-49        JUMPS Audit Log Review Weakness                                                                          Closed
CG-IT-09-50        Audit Trail Weaknesses within the Direct Access Application                                              Repeat: 10-28
CG-IT-09-51        Audit Trail Weaknesses within the Global Pay Application                                                 Closed
CG-IT-09-52        Recertification Weakness within the Direct Access Application                                            Repeat: 10-12
CG-IT-09-53        Security Awareness Issues Associated with the Protection of Sensitive Information                        Repeat: 10-06

Appendix D

Department of Homeland Security
United States Coast Guard
Information Technology Management Letter
September 30, 2010

2100 Second Street, SW, Stop 7101
U.S.
Department of Homeland Security
United States Coast Guard

Commandant
United States Coast Guard
Washington, DC 20593-7101
Staff Symbol: CG-6
Phone: (202) 475-3500
Fax: (202) 475-3930
Email: RobertE.Day@uscg.mil

5500
FEB 24 2011

From:  R. E. Day, RDML                          Reply to:  CG-632
       COMDT (CG-6)                             Attn of:   Bruce Krebs
       K. A. Taylor                                        (202) 475-3585
       COMDT (CG-8)

To:    Mr. Frank Deffer
       Assistant Inspector General
       Information Technology Audits

Subj:  RESPONSE TO INFORMATION TECHNOLOGY MANAGEMENT LETTER FOR THE U.S. COAST GUARD COMPONENT OF THE FISCAL YEAR 2010 DHS INTEGRATED AUDIT

Ref:   (a) DHS OIG Memo dtd 14 Feb 2011

1. In response to reference (a), thank you for the DHS Office of the Inspector General's (OIG) thorough, independent review of the general Information Technology (IT) controls associated with the USCG financial processing environment, IT infrastructure, and overall security program. This process, combined with other proactive activities, helps the USCG improve its Information Security (INFOSEC) posture.

2. The OIG identified several conditions and findings that require corrective actions by the USCG. The USCG concurs with the basis for the conditions and findings that were documented in the FY10 IT Notice of Findings and Recommendations (NFRs) and summarized within the IT Management Letter. Specific details of those findings, and their potential impacts, will be discussed early in the FY11 audit during the prior year's review process.

3. During the course of the audit, the USCG conducted a series of root cause analyses and determined the most appropriate method(s) for addressing identified weaknesses based upon system capabilities and resources. The USCG continues to implement and execute corrective actions to address the underlying conditions and findings to mitigate risk and improve security. These corrective actions (i.e., Plans of Action and Milestones (POA&Ms)) are developed, monitored, and reported via the DHS Trusted Agent FISMA (TAF) tool. FY10 IT NFR remediation is overseen by the USCG CIO's Office (CG-6), with the exception of IT NFR CG-IT-10-05 (scripts), which is led by the USCG CFO's Office (CG-8).

4. With respect to the Material Weakness associated with IT NFR 10-05, the USCG has established a team to address the root causes associated with Configuration Management Controls Over the Scripting Process. The NFR material weakness is based on the financial impact of the scripts, related to Internal Controls Over Financial Reporting (ICOFR). In addition, there is still some remediation work underway with IT general controls with script testing requirements, environment, and the logging process.

5. The USCG understands the need to continuously improve IT security operations and has demonstrated this commitment by proactively seeking ways to improve controls governing the script process. The majority of the USCG system-oriented IT NFRs will be mitigated as they were identified during the audit or early within FY11. The USCG looks forward to working with the DHS OIG during the FY10 audit, where we anticipate confirmation of our corrective action approach through measurable, tangible results.

Copy:  CG-63
       CG-65
       CG-84
       CG-85

Department of Homeland Security
United States Coast Guard
Information Technology Management Letter
September 30, 2010

Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
General Counsel
Chief of Staff
Deputy Chief of Staff
Executive Secretariat
Under Secretary, Management
Commandant, USCG
DHS Chief Information Officer
DHS Chief Financial Officer
Chief Financial Officer, USCG
Chief Information Officer, USCG
Chief Information Security Officer
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
DHS GAO OIG Audit Liaison
Chief Information Officer, Audit Liaison
USCG Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at:
    DHS Office of Inspector General/MAIL STOP 2600,
    Attention: Office of Investigations - Hotline,
    245 Murray Drive, SW, Building 410,
    Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.